Senate debates

Wednesday, 25 March 2015

Bills

Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2015; In Committee

10:37 am

Scott Ludlam (WA, Australian Greens)

I have a very quick question for the government and Senator Fierravanti-Wells, who looks as though she might have been thrown in the deep end. Is Senator Fierravanti-Wells aware of whether the Attorney-General will be gracing us with his presence this morning?

Concetta Fierravanti-Wells (NSW, Liberal Party, Parliamentary Secretary to the Minister for Social Services)

Yes, the Attorney-General is on his way. (Quorum formed)

10:40 am

Scott Ludlam (WA, Australian Greens)

I thank the Attorney for joining us. Probably Senator Xenophon will reserve his right to ask general overview questions. I ran through most of mine last night so I am proposing to start working through the amendments. I also offer a note of thanks to the clerks, who probably worked all night to give us the running sheet for a very complicated set of amendments from a few different sources. I now seek leave to move Australian Greens amendments (1) and (4) on sheet 7669 together.

Leave granted.

I move:

(1) Schedule 1, item 1, page 3 (line 14), omit "specified in or under section 187AA", substitute "specified in section 187AA".

(4) Schedule 1, item 1, page 8 (line 1) to page 9 (line 2), omit subsections 187AA(2) to (5), substitute:

(2) For the purposes of items 2, 3, 4 and 6 of the table in subsection (1), 2 or more communications that together constitute a single communications session are taken to be a single communication.

These amendments are identical to those of Senator Leyonhjelm, so presumably he will add some commentary as well. This debate has been somewhat bogged down from the very beginning in definitions of the kind of data that the government wants telecommunications carriers to collect. Everybody would be well aware that the Attorney did not help his cause at all by not being clear, but that is not a confusion that is isolated to the Attorney-General alone. The discussion has been bogged down in definitions of metadata, which is a phrase that is not even really a term of art in the telecommunications sector. It can mean pretty much what people want it to mean.

It is extraordinary, firstly, that the government initially proposed to bring together a bill to impose on telecommunications carriers an obligation to store material that some of them were not storing. There are matters on the record from Telstra and from the Communications Alliance that this is not just about extending a reporting obligation for material that is already being stored. No matter what the government thinks, and the communications minister has been just as guilty of making this contention, it is simply not the case. The Attorney-General's Department has been proposing an arbitrary two-year mandatory data retention capture and storage plan since at least 2008 that I am aware of, but as recently as January the government still did not know what kinds of material it wanted to force industry to keep. That is remarkable in itself.

The second interesting thing is that the government wanted to keep that definition of the material it wanted industry to store outside the act, in regulations, which makes it much easier for the definition to arbitrarily change. That has flow-on consequences for service providers who have to adjust their systems, not only in capturing the material but in organising for it to be retrieved, presumably reasonably promptly for agencies that will occasionally be in a serious hurry, and brought to light in a form that could potentially be used as evidence in court proceedings. What the government wanted to do, and the bill before us is not completely dissimilar to the government's original intention, was have the definition in regulations so they could change it very rapidly, without consultation with the technology sector or the general public and without recourse to this parliament.

The government has taken a measure of credit, and I guess we should observe it where it is due, that the definition of metadata is now in the bill—I will have a little more to say about that later—but the government still reserves the right to arbitrarily change the definition of material it wants to capture and store and then give itself 40 sitting days for parliament to ratify the decision. Last count, looking at the parliamentary calendar, there were only 58 Senate sitting days this year—the House sits a little bit more than we do because we have four weeks of budget estimates—which means that the time between the government, potentially on a whim, deciding that it needs new material and needs to expand the scope of the bill in the regulations and parliament catching up and ratifying the decision could be seven or eight or nine months.

We will move an amendment down the track that takes that extraordinary 40-day sitting day window and restricts it to four, but that amendment will only be necessary if this amendment of the Australian Greens does not prevail. What this amendment seeks to do is remove the ability of the Attorney-General to arbitrarily widen the scope of metadata that it insists telecommunications carriers trap and store.

Before I commit the amendment to the chamber, I am very interested to know what criteria the Attorney-General proposes to apply—because my understanding is that this will reside with your office, Attorney—for adding information types to the scope of the bill. So what would we expect to be happening behind the scenes prior to an announcement by the government that it has actually widened the scope of the data retention scheme? What process will you follow and what criteria will you have regard to before making such a decision?

10:45 am

George Brandis (Queensland, Liberal Party, Attorney-General)

Senator Ludlam, as you have acknowledged, the definition of the description of the categories of metadata has been located in the bill. The government has done that, having considered the recommendations of the PJCIS, and it now forms proposed section 187AA.

Proposed section 187AA sets out in descriptive terms six different categories. In the event, because of changes in technology, technologies develop or emerge in which information of the kind referred to in those six broad categories are retained and those technologies answer the description of metadata, then the bill preserves the flexibility in using the mechanism to which you have adverted of expanding the definition. The purpose here is not to expand the scope of that which is the subject of the retention obligation but rather to give the government the flexibility to keep pace with evolving technology so that, if there is an evolution so that a currently unanticipated form of metadata were to emerge following the development, for example, of a new device or a new form of communication, then that could be added to the list subject to the approval of the parliament after the requisite 40-day sitting day period. It is not the intention to alter the nature of the categories merely to enable us to have the flexibility to contemporise the description of the way in which metadata falling within those categories is retained.

10:48 am

Scott Ludlam (WA, Australian Greens)

I thank the Attorney for his answer. I still do not feel any closer to an understanding—although I think I understand where the government is coming from, and there is no contention about the fact that the technology changes and new categories of data would be brought into existence over the life of a bill such as this. But I am still no wiser as to what process would be followed—for example, are there consultation periods that I have missed within industry, given how long and contentious it has been settling the definition to date? What comfort can we give industry today? Will it be given set periods of time or a completely arbitrary period of time to comply with new categories of material that the government decides it requires to be kept?

10:49 am

George Brandis (Queensland, Liberal Party, Attorney-General)

Senator Ludlam, as you know, there has been very extensive consultation with industry in the development of this dataset, and the government anticipates that that consultation with industry will continue. This is a collaborative process, so you ask what sort of process the government will undertake—to which the best answer I can give you is: a collaborative process in consultation with industry.

This is classically an example of the government of necessity collaborating with industry in a partnership to achieve a common end. What we envisage is continuing collaboration with industry. The scheme established by this bill, which imposes, as you know, the primary obligation upon industry of necessity, envisages that the government will continue to consult with and collaborate with industry in any decision about amending the descriptions of the dataset and would undoubtedly be arrived at in consultation with industry.

10:50 am

Scott Ludlam (WA, Australian Greens)

But I am correct in my understanding that there is nothing in the bill that prescribed particular periods of time or anything to give guidance to you or your successor in adding certain kinds of data to the scope.

10:51 am

George Brandis (Queensland, Liberal Party, Attorney-General)

No, that is correct. The way this bill will operate when it is enacted is dynamically so that there will always be of necessity, as I said in answer to your previous question, collaboration with industry. In my view it would fetter the flexibility of that collaboration were there to be prescriptive machinery provisions of the kind that you seem to be suggesting incorporated within the bill.

Scott Ludlam (WA, Australian Greens)

I thank the minister for that. Why is the government insisting that service providers retain data volume? What possible national security consequence could that have?

Just so the minister is completely aware of where I am going, there has been plenty of conjecture as to the ways in which this bill, when it is enacted into law, will be used through processes of civil discovery or, potentially, criminal prosecution should the law relating to copyright infringement ever change. That volume usage would be very useful if rights holders, for example, were attempting to track down illegal file sharing. What is the government's rationale for including volume uses on page 8 of the bill in the table, 'Kinds of information to be kept'?

10:52 am

George Brandis (Queensland, Liberal Party, Attorney-General)

Those provisions were developed in consultation with the security agencies and on the basis of the information that they gave to the PJCIS. Since you raise the matter, Senator, can I reassure you—and I do not know how many times I have to say this—that it is not the purpose of this bill to enable, through a process of third-party discovery, access by civil parties in civil litigation of the kind that you refer to, or at all. This is about facilitating criminal investigations.

10:53 am

Scott Ludlam (WA, Australian Greens)

Senator Brandis, I am delighted to take you at your word; there are many who will not. One of the things that we are here to do today is track down the possible unintended consequences of a bill such as this. I would like to get some details particularly about location. There is a lot of concern around the fact that included well and truly within the scope of the bill is location of a particular device when a call connects and when it disconnects or when a communication is initiated and when it is concluded. For example, for a mobile phone handset within a metropolitan area where you are surrounded by probably half a dozen cell towers at any given time, to what degree of accuracy does that allow a particular device to be located?

10:54 am

George Brandis (Queensland, Liberal Party, Attorney-General)

Senator Ludlam, the bill does not prescribe that. What the bill prescribes is the obligation, and the obligation is described in terms of the data set required to be retained. As to the operation of the scheme from a technical point of view, that really is beyond the scope of the bill. It is not something on which I am going to respond to you. What this bill sets up is a scheme that works upon the application to a primary obligation defined in terms of the data set of the obligations of telecommunications companies. A technical question of that kind is well beyond the scope of the bill.

10:55 am

Scott Ludlam (WA, Australian Greens)

The technicalities may be beyond the scope of what you are able to provide us with, but they are certainly not beyond the scope of the bill. Under item 6, topic column 1, 'The location of equipment, or a line, used in connection with a communication', in the way that the bill is currently drafted:

The following in relation to the equipment or line used to send or receive the communication:

(a) the location of the equipment or line at the start of the communication;

(b) the location of the equipment or line at the end of the communication.

Then you have put, helpfully, two examples:

Cell towers, Wi-Fi hotspots.

I can see that some of your advisers have arrived, which is good. I do not think that it is anything like outside the scope of the bill to tell us to what degree of accuracy does that allow particular devices to be pinpointed. That is well within the scope of the bill.

10:56 am

George Brandis (Queensland, Liberal Party, Attorney-General)

Senator Ludlam, you are referring, I think, to item 6 of the table in proposed section 187AA, is that right?

Scott Ludlam (WA, Australian Greens)

That is right.

George Brandis (Queensland, Liberal Party, Attorney-General)

The obligation is as set out in item 6. The obligation is not expressed in terms of quantitative measurement. It creates an obligation to retain certain data by reference to, in this case, that which is described in item 6. That is a qualitatively, not quantitatively, expressed obligation.

Scott Ludlam (WA, Australian Greens)

I might throw to one of my colleagues; I do not feel like I am getting very far. Because we are reading from the same page of the same bill, I understand very well that there is not a quantitative obligation and that you are not required, as a service provider, to track people within a few tens of metres. Nonetheless, I think it is well within the scope of the bill and a reasonable question to put to you; when you place this obligation on a mobile phone service provider, because this is not material that is retained or held for very long periods of time at the moment, I think that users of telecommunications products have a right to know the degree or the accuracy to which government agencies will heretofore be able to track them around the landscape. Is it within a few kilometres, within a few hundreds of metres or within a few tens of metres? I am talking about the example of a mobile phone handset in a metropolitan area surrounded by half a dozen cell towers or so. I guess that this debate is going to run for a while. If you do not have the requisite technical information to hand then I would ask that you take it on notice and provide it to us.

10:58 am

George Brandis (Queensland, Liberal Party, Attorney-General)

Senator Ludlam, you seem to be missing the point here. That is not the work of item 6 in the table in proposed section 187AA. The work of item 6, or indeed each of the six items in the table, is to describe an obligation, not to enact a technical specification, but to describe the character of an obligation, and that is what it does. There will be an implementation phase, as you know, over 18 months after this bill is enacted. Indeed, one of the principal purposes of the implementation phase is to enable the operationalisation of these obligations by the ISPs and the telecommunications services providers to be settled. That is not what this bill does; it is not what the bill purports to do.

Might I point out to you that it is no part of the purpose of this legislation to, as you put it rather colourfully, follow people around. It is no part of the purpose of this bill to follow people around. It is the purpose of this bill to require the retention of metadata of the six categories or kinds described in the schedule to which you are addressing your questions. The technical specification as to how that obligation is to be given effect is not what this bill does.

11:00 am

David Leyonhjelm (NSW, Liberal Democratic Party)

Minister, I am wondering if you can help us with an explanation. I am assuming that you are not in favour of these amendments, which are identical to the ones I moved, yet I cannot see that there is anything harmful about them—in fact, they improve the bill. Amendment (1) confines the kinds of information defined in the bill to those brought into the bill on the recommendation of the PJCIS, so it reduces the scope for regulatory creep. Amendment (4) does away with the elaborate 40-day approval regime for new additions introduced into the bill thanks to the PJCIS, and I am not suggesting that the 40-day approval is not an improvement on what was there before. Can you elaborate why you do not find them acceptable.

George Brandis (Queensland, Liberal Party, Attorney-General)

The government has taken this bill through a very, very long process, through what is bound to be a long committee stage here in the Senate yesterday and today and perhaps tomorrow, and through a very long PJCIS inquiry, in which I think you would acknowledge we have shown a great deal of flexibility in accepting recommendations made by that committee—in fact, we have accepted them all. The government is satisfied with the bill in its ultimate form. The opposition is satisfied with the bill in its ultimate form. All I can say to you is that the bill in the form in which it is now presented to the Senate is in our judgement the best shape in which the bill can be drafted.

11:02 am

David Leyonhjelm (NSW, Liberal Democratic Party)

With great respect, what you are saying is you have reached agreement with your political opponents but you will not entertain reaching a political agreement with what I would consider a political ally, which is myself and my party, nor with Senator Ludlam, who coincidentally has arrived at the same place. I find it a peculiar position to take.

George Brandis (Queensland, Liberal Party, Attorney-General)

You are entitled to your view, but the bill in its current form, including on the issue, by the way, of the description of the dataset and the inclusion of that description in the act and the provisions for the amendment or alteration of the dataset where that becomes necessary, in fact gives effect to the PJCIS recommendations. I do not want to repeat myself, but this has been a long process: many minds have looked at this issue and this is where both government and opposition have come after a very extensive inquiry. I think you have acknowledged that the amendments that the government has adopted improve the bill from its initial form. The process of endless iterations of any piece of legislation cannot go on forever. This is where we have landed and this is what we present to the Senate for its consideration.

11:03 am

Nick Xenophon (SA, Independent)

I will be as expeditious as possible, because I know there is a lot of material to get through. Last night in the chamber the Attorney was very clear that this legislation does not require anything more from telecommunications companies than the storage of their data. I do not have last night's Hansard in front of me, but in a recent ABC interview, the Attorney said:

This law does not change the status quo. That's the first point to be made. Telecommunication companies have always retained this information. It has always been accessible to ASIO, to state and federal law enforcement authorities without warrant. At heart all this legislation does is to mandate the continuation of the status quo.

I think that is a fair summary of what the Attorney said last night. I hope it is not a misrepresentation of what was said in the chamber last night—I do not want it to be. Given that this amendment is about not allowing the definition of metadata to be changed unilaterally, so it is relevant to this amendment, in my view, what does the Attorney say about the comments made by Telstra's Chief Information Security Officer, Mike Burgess, who told a conference recently:

Telstra will be required to retain data under the legislation that it has no need to — and doesn't — retain today.

Mr Burgess said that at a Cisco Live panel on cybersecurity on Monday of last week. He says that more information is being sought to be retained by this legislation than they currently retain. I hope I have quoted the Attorney fairly. I believe I have quoted Mr Burgess fairly. I will quote directly what Mr Burgess said at the panel:

We're not saying 'give us the money because security is going to be an issue'. There is data required under this new law … that we do not collect today, that we have no reason to collect today, and we will be collecting it.

I am just trying to get clarification of that. The Attorney has been very consistent in his position in his statements to the ABC and to the chamber last night. Mr Burgess, as the Chief Information Security Officer for Telstra has said something quite different. I am just trying to understand where we are at in respect of that.

11:06 am

George Brandis (Queensland, Liberal Party, Attorney-General)

Although I know Mr Burgess, and I acknowledge his long and deep experience in this field, I have not seen his remarks. It is not my practice to comment on remarks that are quoted to me that I have not seen. That having been said, you do paraphrase me accurately. This is an obligation to maintain the status quo. It is also an obligation to regularise and standardise that which is done across the industry. As I said last night in response to the question from one of the crossbench senators, there is no uniform, consistent data-retention period across the industry. According to evidence given to the PJCIS inquiry by one of the witnesses in relation to telephony, some telecommunications companies currently retain data for up to seven years, and some retain data for periods less than two years. So, in routinising and standardising the data retention obligation period to two years, in some cases we are reducing the retention period from the status quo, in some cases we are extending the data retention period from the status quo. We are not changing the character of the obligation. Let me rephrase that: the obligation that this legislation imposes does not change the character of the commercial practice from that in which the ISPs and telecoms have engaged, but it does standardise it.

11:08 am

Nick Xenophon (SA, Independent)

If I can just go to the issue: I will repeat what has been attributed to Mr Burgess—I do not have the privilege of knowing Mr Burgess, as the Attorney does; I do not think I will be able to get a statutory declaration from him in the next 10 minutes in the course of this debate but what I think I can do is to put this in the most neutral and objective terms possible. If Mr Burgess actually said—as he is reported to have said: 'there is data required under this new law …'—and just to be fair, I will say that there is an ellipsis there in the quote—'that we don't collect today, that we have no reason to collect today, and we will be collecting it.' That is what he is reported to have said.

I understand what the Attorney has said about standardising the periods of data collection, but what Mr Burgess is reported to have said is, in fact, that there is additional data—additional material—that is being required of Telstra and of telecommunications companies, which goes beyond what they are currently collecting. That is why—it is reported—Mr Burgess has said:

We're not saying, 'give us the money because security is going to be an issue'. There is data required under this new law … that we don't collect today, that we have no reason to collect today, and we will be collecting it.

If the Attorney could assume that that is what has been said, the question is whether he agrees with that particular assumption or not.

11:10 am

George Brandis (Queensland, Liberal Party, Attorney-General)

Senator Xenophon, I understand your point perfectly, although I should point out to you that the obligation is an obligation to retain, not an obligation to collect. That being said, you rightly say—and it is a point I have acknowledged already in the course of the debate—that there are variable practices across the industry. There are variable practices across the industry in relation to the period of time for which data is retained and the actual nature of the metadata that is retained. I think you are particularly focusing on the second of those two points. The practices do vary, but I am advised that there is nothing in the data set—that is, at the tabled proposed section 187AA—that is not commonly retained across the industry. Individual telecommunications companies and individual internet service providers might have different practices in relation to particular metadata. They may have variable practices in relation to the periods for which they retain that metadata, but the character of the obligation which is standardised and routinised by this bill is to impose as a statutory obligation what is industry practice. I acknowledge that that industry practice is variable, but it is industry practice.

11:11 am

Nick Xenophon (SA, Independent)

I want to conclude this as quickly as I can: last night the Attorney stated, consistent with the statements he made to the ABC: 'So the core provision of this bill is to impose upon telecommunications companies an obligation to retain the metadata that they hitherto had retained anyway for two years. What the bill does, in effect, is freezes the status quo.' Given what is reported to have been said by Mr Burgess, the Chief Information Security Officer of Telstra—that they will actually be having to retain other data which they do not currently retain—does the Attorney concede that there are circumstances when—and it may freeze the status quo in some circumstances; I understand that—there may actually be a requirement on telecommunications companies to retain more data than they currently do? I am asking this on the basis of Mr Burgess's reported remarks.

11:13 am

George Brandis (Queensland, Liberal Party, Attorney-General)

Well, as I have said to you, Senator Xenophon, I have not read Mr Burgess's remarks. So you may wish to interrogate me about them, but I have nothing to say about them without having read them. That being said, my response to the point you make is, as I said earlier, that this legislation standardises an industry practice. There are, in relation to the retention and metadata, variable practices across industry, both as to the length of time for which data is retained—as I said before, in some cases up to seven years—and as to the particular metadata that is retained, so that there will be some telecommunications companies or internet service providers that retain a particular dataset; there will be others that retain a somewhat differently described dataset. There is a variable practice. The effect of this legislation is to standardise that practice, both as to that which is required to be retained and the length of time for which it is required to be retained. That said, I repeat, Senator Xenophon, that the effect of the legislation is to freeze the status quo. When you standardise something where the practice is variable, obviously, in standardising that practice, there will be required of some companies greater or lesser obligations than they might currently observe. But, as a general proposition, the obligation contained in proposed section 187AA reflects practice across the industry. That is what the legislation requires the relevant members of the industry to observe in respect of their own companies.

11:15 am

Nick Xenophon (SA, Independent)

My background is as a suburban lawyer; I do not think I could ever interrogate the Attorney—ask him some questions maybe, but interrogate him? No. As I understand the answer from the Attorney—and I am sorry if I am being a bit slow on this—that means that there will be some circumstances where there will be an obligation for greater retention of data than some telecommunications companies currently retain in their current practices.

George Brandis (Queensland, Liberal Party, Attorney-General)

The answer to your question, Senator Xenophon, is yes. Let me give you an example. Let us say that there is a particular ISP, for example, that at the moment has the practice of retaining metadata for 18 months. Obviously the imposition of a two-year standard would mean in that theoretical case that the retention obligation would expand the industry practice in the case of that particular company by six months. But, as I said to you before—and this would be in evidence given to the PJCIS—there are some cases where telephone companies retain metadata for up to seven years and there are some cases in which ISPs retain metadata for up to five years. I refer you to page 120 of the PJCIS report. The obligation in those cases will be reduced significantly by a period of either five or three years. That is the duration of the retention obligation.

As to the substance of the retention obligation, that is to be standardised. It is to be standardised to the table which appears in proposed section 187AA of the bill. Just as with the duration of the retention of metadata, so with the dataset there will be some ISPs and telephone companies that retain all of that data, some that retain some but not other of that data and some that retain data that is beyond the obligation described in the table. That obligation is also standardised. So the dataset is standardised and the duration is standardised. That will mean in respect of some industry participants a lower obligation. In respect of some industry participants, it may mean a higher obligation. We are trying to capture an industry standard and apply it uniformly across the industry.

11:18 am

Scott Ludlam (WA, Australian Greens)

Just on this point, I think we may be getting closer to a resolution of the facts. I will just read a brief quote from the communications minister that he put to ABC radio earlier this month. He said:

The only thing the data retention law is requiring is that types of metadata which are currently retained will be retained in the future for at least two years.

That sounds rather harmless, but it is not true. It is actually not the case at all.

Senator Xenophon has read the views of Mr Burgess from Telstra. I have something here that the CEO of the Communications Alliance, Mr John Stanton, put to Computerworld in an interview in December last year. It is worth reading it in full. He said:

The telecom industry “has grown a little weary of hearing this proposal described as a requirement to do no more than service providers do today …

“It’s in most cases far from that. It is a data creation regime as well as a data retention regime.”

…   …   …

“There are elements of the dataset, for example, that require data to be collected and manipulated in ways it’s not today. Historical aggregate records of upload and download volumes, for example – I don’t know of any provider who manages to put that material today. There’s no business requirement for it, and the feedback from some of our members is that will be quite difficult to do.”

That was the CEO of the Communications Alliance, representing pretty much the entire Australian telecommunications community.

I draw the minister's attention to his own bill—proposed subsection 187A(6):

To avoid doubt, if information that subsection (1) requires a service provider to keep in relation to a communication is not created by the operation of a relevant service, subsection (1) requires the service provider to use other means to create the information, or a document containing the information.

In black and white, your own bill says to the service providers that, 'If you do not presently keep the material outlined in the table'—and this is the table that we have been discussing in 187AA—'this places an obligation on you to create the information.' It uses the words 'create the information'. That is why I think people are a little sick of hearing this from the communications minister and others. If anything, Attorney-General, you have provided a slightly more nuanced view to us this morning than the communications minister has been providing. Spokespeople have been waving their hands, saying, 'It doesn't require the creation of anything you haven't already been doing.' It is not true. Please stop saying that.

11:21 am

George Brandis (Queensland, Liberal Party, Attorney-General)

I refer you to what is the principal provision—proposed subsection 187A(1):

A person (a service provider) who operates a service to which this Part applies (a relevant service) must keep, or cause to be kept—

in accordance with proposed section 187BA—

for the period specified in section 187C:

(a) information of a kind—

specified in or under proposed section 187AA

… or

(b) documents containing information of that kind;

relating to any communication carried by means of the service.

That is the primary obligation. That is the key provision of this bill. That is the obligation conferring provision of this bill. What it requires is for data to be kept, not created. You point to proposed subsection (6) of proposed section 187A, which might perhaps be regarded as an anti-avoidance provision. But the primary obligation is to keep that which is set out in proposed section 187AA for the period set out in proposed section 187C—that is, two years—in accordance with proposed section 187BA, which specifies the manner in which the data is to be kept.

Senator, if you keep proposed section 187A(1) foremost in your mind, I think you will understand what the purpose and effect of this bill is. In relation to the question of whether or not the bill mandates the status quo, it does, because what it mandates is a common industry standard. I have acknowledged—and it has never been controversial—that there are variable practices, because this is an industry with a multiplicity of players. I know, Senator Ludlam, you know this industry well. It has a multiplicity of players with various commercial practices in relation to both datasets and retention periods. So, of course, when you standardise and make uniform across an industry so described a single obligation then there are going to be variances in the way in which individual industry players retain data at the moment and what they do in compliance with the statutory obligation that will be imposed upon them. But what it is designed to do is to reflect and make uniform a common industry standard.

11:24 am

Scott Ludlam (WA, Australian Greens)

To my mind, the Attorney just described proposed subsection (6) as an anti-avoidance measure. I understand why you are reading the context of proposed subsection (1), because it identifies the primary obligation of the service provider. Again, to avoid any ambiguity, proposed subsection (6) says that, if you are not creating this, then you are going to have to. Maybe we are just dancing around terminology here. Minister, when you talk about inconsistencies or varying practices within the industry, what you are really telling us is that some providers—potentially smaller ones—are going to be forced to keep material they presently do not in order to create the standardised obligation. I do not think there is any way of avoiding that conclusion, which was why I guess some people find the member for Wentworth's sweeping statements that carriers will not be forced to catch and store stuff that they presently do not somewhat irritating. It is simply not accurate. If you force standardisation across the industry, you will force individual players to do things and store things that they do not presently do. The reading of the bill is actually fairly clear in that regard. That process of standardisation and levelling-ups, that everybody is treating the same kinds of information in the same way, will force some carriers to create categories of material that they presently do not. I do not propose to detain us too much longer, because I think the reading of the bill is actually fairly clear.

11:26 am

George Brandis (Queensland, Liberal Party, Attorney-General)

Senator, I do not want to repeat what I said in answer to your previous question or indeed to Senator Xenophon. I think you understand what I am saying to you. But might I make two observations. First of all—and I think you acknowledge this, Senator Ludlam—the primary obligation is in proposed subsection (1). Proposed subsection (6) is inserted into the bill as an anti-avoidance measure so that, particularly during the implementation phase, an ISP or a telecommunications provider cannot vacate, as it were, the retention of metadata that it currently retains and then say, 'I'm sorry; none of this applies to us.' Proposed subsection (6) is an anti-avoidance measure which, as the opening words of it say, is for the avoidance of doubt. But the primary obligation imposed by this legislation is the obligation imposed by proposed subsection (1).

Secondly, you raise the relevant question of compliance by small ISPs in particular. We acknowledge that there may be particular burdens on small ISPs. That is why there is an 18-month implementation period to give effect to, to enable all players in the telecommunications industry, not just the giants like Telstra, the opportunity to adjust their business model and business practices to be compliant. But also if I may refer you, please, to proposed section 187K in division 3: that provides an exemptions regime—and the example you give, Senator, is a particularly relevant one—so that, in circumstances in which a small ISP may find compliance with the proposed 187A(1) obligation unreasonably burdensome, an exemption can be made for it.

11:28 am

David Leyonhjelm (NSW, Liberal Democratic Party)

Minister, I am going to change the subject for a moment. As you know, I am a libertarian. One of my preoccupations is regulatory overreach, and associated with that is incremental or creeping regulation. What I would like to do is seek your views on clause 187AA(2), which says:

(2) The Minister may, by legislative instrument, make a declaration modifying (including by adding, omitting or substituting) the table in subsection (1), or that table as previously modified …

Yesterday in question time you responded that the heading of an email would not be included in metadata. I have checked on that. Bearing in mind that this legislation will remain on the books long after both of us are in our dotage, what is to prevent you or a subsequent minister from bringing in a legislative instrument, such as that envisaged in clause (2), and adding the heading or, indeed, the content of an email or any other communication of a similar nature?

11:30 am

George Brandis (Queensland, Liberal Party, Attorney-General)

Senator Leyonhjelm, the answer to your question, if I understand you correctly, is proposed section 187A(4). Although proposed section 187AA(2) gives the minister the power by legislative instrument and subject to the requirement of parliamentary assent within 40 sitting days to modify the description of the dataset in the table subjacent to proposed section 187AA(1), a minister may never, by legislative instrument or any form of delegated legislation, derogate from the statute itself. The fundamental distinction between content and information about a communication, or metadata, is preserved in particular by proposed subsection (4) of proposed section 187A, so that the extension of the reach of the act to content, which is prohibited by that section, would never be derogated from or varied by ministerial declaration under proposed section 187AA(2) by an amendment to the dataset, because the description of dataset is subject to that overarching statutory limitation.

11:32 am

Penny Wright (SA, Australian Greens)

I am interested in the confusion that seems to exist around the term 'content' and the term 'metadata'. I am interested to ask the Attorney-General whether metatags are included within the type of data that will be required to be retained under the bill or under regulations in the future.

George Brandis (Queensland, Liberal Party, Attorney-General)

Senator Wright, nothing that is not in the dataset is required to be retained.

Penny Wright (SA, Australian Greens)

I am interested to know then whether metatags are within the dataset?

George Brandis (Queensland, Liberal Party, Attorney-General)

Senator Wright, if you offer me a definition of metatags and what you mean when you use that word, I will tell you whether they are within or without the table.

Penny Wright (SA, Australian Greens)

That really highlights the confusion and the difficulty around this. I do not profess to be an expert in this area by any means, but I am guided by concerns that have been raised by people who have a lot more knowledge about it than I. I am going back to concerns that were articulated when this bill was considered by the Parliamentary Joint Committee on Human Rights. Among other things, this legislation engages the right of privacy, and the committee's 20th report actually states that the committee acknowledges the desirability of having a definition of 'content' which would therefore be excluded from the requirement for retention but is capable of keeping pace with technological changes. The committee expressed concern that without a clear definition of 'content' there is the potential that what constitutes content could be interpreted restrictively so that the scope of data to be retained is broader than what is required to achieve the government's stated objective. In other words, the scope of the dataset to be retained may be disproportionate to the objective which is to be achieved.

The reason I have raised the issue of metatags is that the committee noted that the bill could potentially see data retained that does actually include aspects of content. The example given was the idea of metatags, which are used by website developers to provide search engines with information about their sites and may contain significant information about a website, including aspects of its content. However, it is unclear whether it is intended that metatags will be prescribed in the regulations as data to be retained for the purposes of the scheme. I think it is a fair question to ask the Attorney-General whether or not metatags will be prescribed in the regulations as data to be retained for the purposes of the scheme.

11:35 am

George Brandis (Queensland, Liberal Party, Attorney-General)

Senator, with respect, just because you are confused does not mean that there is confusion about the bill; it means that you are confused about the bill. So let me respond to you. We know, of course, Senator, there is a lot of jargon that is used in discussion in this area of policy. Now that you have given me the definition that you attribute to the word 'metatag', I can answer your question. No: anything that reveals content is explicitly excluded, even if it be material that contains what would otherwise be metadata—that is, that would otherwise fall within one of the six categories described in the table to proposed section 187AA. If it also reveals content, then it is beyond the scope of the bill.

11:36 am

Penny Wright (SA, Australian Greens)

First of all, I suspect you were not listening particularly carefully to my question, because I actually introduced it by indicating that it was not I who was confused; rather it was a view that was represented by a committee of this parliament, comprised of members of both Houses and which is also reflecting discussion in the broader Australian community. You may wish to suggest that this is just one individual of 23 million people who is a bit confused but I do not think that accurately characterises the concerns here. I am going to leave that somewhat belittling response aside. I am not an expert in this area and I do not profess to be. But, in a sense, I am not the proponent of this legislation either. 'Metatag' is clearly a term that is used by website developers; I would presume it is a term that is recognised and used, which is why I think it is being referred to here. Is it a term that you have ever heard of before? Do you accept or understand that this is a term that is generally used to describe something that is used by website developers to provide search engines with information about their sites? I am sure there are people out there who would be interested to know whether or not you accept that this is actually a term that is generally used.

11:37 am

George Brandis (Queensland, Liberal Party, Attorney-General)

I have heard the term before, but I caution against diverting this debate into an argument about the meaning of technical language, much of which is jargonistic. The very reason the bill has been drafted in the way it has, with a broad definition of content and with a broad intendment of content and very specific descriptions of metadata, is to say the obligation only attaches to that which falls within one of the six categories in the table. And it does not attach to content. If, for example, something contained both content and metadata and the two were unable to be separated, the obligation in the bill does not apply to it. That is the very point of not defining content by category but defining metadata by category; so that the words in clause 187A(4) are generic.

Let me read them to you:

This section does not require a service provider to keep or to cause to be kept information that is the contents or substance of a communication.

Then there is a note:

This paragraph puts beyond doubt that service providers are not required to keep information about telecommunications content, or (b) information that (i) states an address to which that communication was sent on the internet from a telecommunications device using an internet access service provided by the service provider and (ii) was obtained by the service provider only as a result of providing the service.

There is another note:

This paragraph puts beyond doubt that service providers are not required to keep information about subscribers' web browsing history.

Then it goes on through three more specific provisions that are designed to put beyond doubt the extensiveness of the concept of content.

That is the exclusion. All content is excluded. Metadata, if it answers the description of one of the six categories in the table, is included. But because the overall provision is to exclude content, if there were a situation in which metadata answering a description of the table were so co-mingled with content that the two could not be separated, the governing provision is—you are a lawyer, Senator; you know this—that a general overarching prohibition will govern in a situation like this. The general governing provision against the disclosure of content or not mandating the retention of content would be the operative provision.

11:41 am

Penny Wright (SA, Australian Greens)

I think it is because I am a lawyer that I inherently seek certainty and clarity around these issues. I would like then to confirm what I think I just heard you say, Attorney-General—that is, the six examples in the table under 187AA are exclusive definitions of what may be retained. My reading of that section is that, under subclause 1, the following table sets out the kinds of information that a service provider must keep or cause to be kept, in which case it would suggest that they were examples but not exclusive examples. It is the very fact that there is not a prescription that is causing concern. Can you please confirm that these six items in the table are the exclusive requirement as to what is to be retained.

George Brandis (Queensland, Liberal Party, Attorney-General)

Yes, I can confirm that, Senator. I have been trying to convey that to you and your colleagues for some little while now in this debate. The retention obligation is imposed by clause 187A(1):

A person (a service provider) who operates a service to which this Part applies (a relevant service) must keep, or cause to be kept, in accordance with section 187BA and for the period specified in section 187C:

(a) information of a kind specified in or under section 187AA; or

(b) documents containing information of that kind;

relating to any communication carried by means of the service.

So by the obligation creating provision of this bill—that is, the proposed section of the act—clause 187A(1) specifically limits the retention obligation to that which is specified in clause 177AA—that is, that which is specified in the table. I think therefore, Senator, with respect, you incorrectly use the word 'example'. These are not examples; these are the six categories of information to which the retention obligation created by clause 187A(1) attaches.

11:44 am

Penny Wright (SA, Australian Greens)

In that case it is somewhat mystifying to me, I suppose, as to why the wording in subclause 1 is that it is the kinds of information that a service provider must keep or cause to be kept. It is not written in the way that one would normally expect to see an exclusive definition written.

However, I am also seeking to clarify what I think you said earlier. I want to be really sure that I understand this. You are saying that if there is any other data that is outside those descriptions in the table that could potentially involve something that could be seen as being associated with content, there will be no requirement to retain that.

11:45 am

George Brandis (Queensland, Liberal Party, Attorney-General)

No. I am going to have another go at this, Senator, so you are no longer mystified. Content is not the subject of a retention obligation. That much is clear from clause 187A(4). The only thing that is subject to a retention obligation is information of a kind specified in or under clause 187AA, or documents containing information of that kind. Those which are required to be kept under clause 187AA are the six categories of information, which we have been referring to generically in this debate as 'metadata', set out in the table—and that is it. Unless there were to be a ministerial declaration—which, of course, could not contradict clause 187A(4)—of additional categories, the retention obligation is limited only to that which is set out in the table in clause 187AA(1). That obligation is further limited by the exclusion in clause 187A(4) so that if it reveals content it is not subject to the retention obligation, either.

11:47 am

David Leyonhjelm (NSW, Liberal Democratic Party)

I would like to follow up on that. Clause 187A(4) does say:

This section does not require a service provider to keep, or cause to be kept:

(a) information that is the contents or substance of a communication;

I would like you, please, to clarify this. In the case of an email where the subject of the email is contained in the heading, is that equivalent to content or substance? In the case of an email where there is nothing in the heading, does the heading comprise the data to be retained? In other words, in what situations might an email be considered not content or substance?

11:48 am

George Brandis (Queensland, Liberal Party, Attorney-General)

The answer to your first question is: no. The heading of an email is content, and therefore it is within the exclusion.

David Leyonhjelm (NSW, Liberal Democratic Party)

Under all circumstances?

George Brandis (Queensland, Liberal Party, Attorney-General)

Under all circumstances. Let me say that again. The heading of an email is content and is therefore subject to the exclusion in all circumstances. I must confess, Senator Leyonhjelm, that I did not understand your second question. You seem to be positing a situation in which there was no content line in the email. If there is no content line in the email then there is nothing that can be either within or without the exclusion: there is nothing there.

Scott Ludlam (WA, Australian Greens)

I just have one or two questions to follow up and then I am happy to commit this amendment; I am happy to move on through the running sheet. Attorney, perhaps you could explain to us why you think it is necessary to have potentially six or eight months delay between deciding to add a new service provider or a new content of metadata to be captured. This extraordinary delay—40 sitting days—could, I think you would agree, go for seven or eight months, depending on the sitting schedule at the time.

We both accept the fact—I am not going to offer any contention—that technology changes and there will be new services designed and new categories of material. You see those coming. You have it identified that it needs to be brought into the scope of the bill. You bring forward a relatively uncontroversial amendment and then the parliament signs it off. Why this extraordinary eight months delay? Why has this been crafted in the bill as, effectively, an executive decision which the parliament is to catch up with months later? Why not do it using the ordinary legislative process?

11:50 am

George Brandis (Queensland, Liberal Party, Attorney-General)

I should say that the selection of 40 sitting days was not mine. It was the recommendation of the PJCIS. So, in order to meet the concerns of those who were worried about the possibility of an arbitrary regulation-making power not being supported by legislation the government adopted the PJCIS recommendation.

I do not sit on the PJCIS, of course. They arrived at the 40 sitting-day standard or time frame. Had I been a member of the PJCIS would I have adopted 40 days, 30 days, 20 days or 50 days? I do not know. But in a spirit of comity the government decided to adopt the unanimous view of the PJCIS that 40 days was the appropriate period.

By the way, Senator Ludlam, do not disregard how unusual this is in terms of additional protections. Ordinarily, of course, where a regulation-making power is conferred there is no obligation to support that regulation by the introduction of legislation, at all. The regulation is, of course, subject to the disallowance powers of either house of the parliament but in an ordinary case a regulation is not required to be supported by legislation, at all. So this is, if you like, an additional safeguard measure to lend consistency to the government's decision to locate the descriptions of the metadata required to be retained within the act rather than in regulations.

I think you can see the point, Senator, that it would be very odd—having decided to put the descriptions of the information, the subject of the retention obligation, into the act itself—then to allow that to be avoided by allowing the minister to use a regulation-making power to add new categories, which is why we have said these have to be legislated for as well.

As to 40 sitting days, it does not strike me as an obviously unreasonable length of time; nevertheless, that is what the PJCIS, in its wisdom, decided to recommend and the government—eager to oblige the critics of this bill—adopted all of the PJCIS's recommendations, including that one.

11:52 am

Jacinta Collins (Victoria, Australian Labor Party, Shadow Cabinet Secretary)

As we seem to be moving towards the first set of amendments, I might indicate the Labor position on this matter. These amendments would remove the capacity to modify the dataset by regulation. Presently, the bill allows for such modifications on a temporary basis. As we have been discussing, regulations altering the dataset will cease to have effect after the 40 sitting days. Any permanent alteration must be achieved by amendment of the act, and the bill requires that any such amendment goes first to the PJCIS for review.

I note that those arrangements are the result of the committee's report and were insisted upon by Labor. The government's original bill allowed the entire dataset to be determined by regulation. Labor agrees that as much as possible the detail of the scheme should be set out in the primary legislation. We think this has been achieved and therefore we will be opposing these amendments.

11:54 am

Scott Ludlam (WA, Australian Greens)

That is an immense surprise. Just to be clear, the effect of this amendment is that the ordinary legislative powers of the Senate would be restored if the government of the day decided it wanted to widen the scope of the bill and require more data to be captured. This is material that could not necessarily be conceived of at the moment. I have no argument about the fact that this is likely to happen. Scope creep is built into the DNA of the bill. Where I disagree is that it should not be a regulation-making power. The government should be able to make its case and state it plainly to this parliament so that the parliament can then widen the scope. I do not see the necessity for doing things as backward as an executive decision being made and then leaving it to the PJCIS to work out whether it is a good idea and the parliament to ratify or not six to eight months down the track.

This amendment removes the ability of the Attorney-General of the day to arbitrarily increase the scope of the scheme through regulation. I have made my reasons for wanting to do that very clear. I would put one final question to the Attorney before we commit this one to the vote, unless other senators have questions. Recommendation 3 of the Parliamentary Joint Committee on Intelligence and Security said:

To provide for emergency circumstances, the Committee recommends that the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 be amended so that the Attorney-General can declare items for inclusion in the data set under the following conditions:

It then steps through them; effectively, you have enacted those with reasonable fidelity.

We do not have any kind of description at all as to what the emergency circumstances are. I am interested to know. Emergency implies the necessity of a fairly rapid decision. Since it does not appear to be in the bill, what definition will the government be adopting in its definition of 'emergency'? That is very different from the set-up you described before, which is the introduction of new services or the gradual evolution of technology. That is not an emergency, that is what we expect. What does the government believe will be an emergency that would require this kind of executive decision making rather than the ordinary legislative processes of this parliament?

11:56 am

George Brandis (Queensland, Liberal Party, Attorney-General)

I am not the author of those words. The authors of those words are the PJCIS. I think I understand the purpose or motive of those who made the recommendations—that is, to allow for a regulation-making power in circumstances where the development of technology means that the efficacy of the data-retention regime would be compromised were the ordinary parliamentary processes to be observed. That is why the bill has been drafted in this manner.

It is a provision that will operate in unusual circumstances. 'Emergency circumstances' is not a lawyer's term of art. Senator Wright, your colleague is always urging further definitions. At the end of the day, we are all limited by the English language and we cannot pursue an infinite regression through the thesaurus. Where words have a reasonably commonly understood English-language meaning, in my view, we ought to leave it at that. Where they are technical terms, perhaps they can be understood by reference to the technical language of their particular discipline. Emergency circumstances is a flexible concept but the mischief it seeks to address is circumstances where a development might occur so rapidly that it derogates from the efficacy of the regime.

11:58 am

Scott Ludlam (WA, Australian Greens)

What the PJCIS specifically recommended was that this power be made available to the government, to the Attorney-General of the day, 'to provide for emergency circumstances'. The drafting that has emerged, that has been incorporated into your bill—that you are presenting and speaking for today—has no emergency circumstances provided for. The power to add data to the dataset, by these unilateral declarations, is not limited by any circumstances, emergency or otherwise. It is completely open.

The Attorney brought forward examples of new services being developed and new kinds of devices creating new kinds of data. That is not an emergency. That is the distinction I am drawing. There is no constraint on the power of the government of the day, for any reason that it feels fit—justified or unjustified—to demand that service providers begin capturing more material. That is the point I am trying to make. I do not know whether the Attorney wants to address that comment—otherwise, I am happy to commit these amendments now to the chamber. They are amendments (1) and (4) on sheet 7669 which would remove that arbitrary decision-making power and would restore the ordinary processes that this parliament is used to following.

The CHAIRMAN: The question is that the amendments moved by Senator Ludlam be agreed to.

12:06 pm

David Leyonhjelm (NSW, Liberal Democratic Party)

Chairman, can you advise: should I present my amendments (1) and (4) on sheet 7661 or withdraw them, since they were a duplication of those?

The CHAIRMAN: We probably would do neither. Those amendments were identical to the amendments that were just voted down, so we simply will not proceed with them, Senator Leyonhjelm. Thank you.

12:07 pm

Scott Ludlam (WA, Australian Greens)

by leave—I move amendments (1) to (4) on sheet 7692:

(1) Schedule 1, item 1, page 4 (lines 16 and 17), omit "40 sitting days", substitute "4 sitting days".

(2) Schedule 1, item 1, page 8 (lines 8 and 9), omit "40 sittings days", substitute "4 sitting days".

(3) Schedule 2, item 3, page 59 (lines 11 and 12), omit "40 sitting days", substitute "4 sitting days".

(4) Schedule 2, item 4, page 61 (lines 29 and 30), omit "40 sitting days", substitute "4 sitting days".

These amendments obviously relate to the matters we have been discussing so far this morning. They go to the fact that the amendment that the parliament just unfortunately disposed of means that the Attorney-General can still make rather arbitrary decisions to attach new categories of metadata to the bill and refer the matter to the PJCIS, and then has to return to parliament within 40 days for ratification of this executive decision. What happens—it could be six or eight months or more after the Attorney's decision is first made depending on the time of year and the sitting schedule—if parliament does not ratify the decision? What would the obligation be? Presumably that lays a fairly heavy obligation on service providers in the meantime—money would need to be spent; systems would need to be set up depending on the volume of material that would need to be collected. What happens to that material if parliament does not ratify the decision? We will just have to take it as read that the money is wasted. Would there be an obligation on service providers to destroy the material they had collected between that executive decision being made and the parliament knocking it back?

12:09 pm

George Brandis (Queensland, Liberal Party, Attorney-General)

Senator Ludlam, you seem to be arguing the opposite proposition from the one you were arguing immediately before the division. Now you are suggesting that service providers might want to retain data that is not the subject of a retention obligation, whereas before, as I understood you, you were saying that service providers are being subject to an unwelcome cost of requiring them to retain data that they would not wish to provide. The fact is that the provisions in section 187A(2) and following set out certain conditions which must be observed in order to bring any potential new dataset within the reach of the obligation of this section 187A(1). If those conditions are not satisfied then the retention obligation is no longer extant and therefore the requirement of section 187A(1) would no longer apply. You make a point about costs having been incurred—I suppose that is at least theoretically possible but, Senator, you seem to be assuming, and you take a somewhat paranoid view, if I may say so, sometimes about what government might do, but if the government were of the view, whether it be a Labor government or a Liberal government or whoever, that the description of the dataset in the table in section 187A(1) needed to be enhanced, it is hardly likely that it would avoid cooperating with industry. As I said at an earlier stage in the debate, collaboration and cooperation with industry—this is to establish an industry-based scheme—is integral to the operationalisation of this legislation. Secondly, nor is it likely that the government would seek to delay until the last possible statutorily permissible moment the introduction of legislation to give effect to the declaration. You pointed out before that the PJCIS make these recommendations to deal with emergency circumstances. In emergency circumstances the minister may make a declaration. In my case, if I were the Attorney-General, able and I would have thought in the case of any rational Attorney, having made such a declaration he or she would want to go to the parliament as soon as possible.

12:12 pm

Jacinta Collins (Victoria, Australian Labor Party, Shadow Cabinet Secretary)

Labor will be opposing these amendments. The committee process of the PJCIS lasted some months, heard extensive evidence and involved significant negotiation amongst committee members. Labor is satisfied that the 40-day period proposed by the committee is appropriate.

Scott Ludlam (WA, Australian Greens)

I have a few other 'paranoid' questions to put to our Attorney-General. I will try to restate my question, because I do not think he understood where I was coming from. If the Attorney-General decides for whatever reason, good or bad, that new categories of material need to be collected and added to the table we were discussing earlier, the PJCIS agrees, at some point between that decision being made and parliament signing off presumably there will be an obligation on industry to start collecting it, particularly if it is a genuine emergency. If parliament knocks it back, what happens to the material that has been collected in the interim? Is there anything in the bill that creates an obligation to destroy it, is it stranded? What happens to it?

12:13 pm

George Brandis (Queensland, Liberal Party, Attorney-General)

There is no actual destruction obligation. This whole debate has proceeded against the background of protests on behalf of the critics of this legislation that industry does not want to retain this data for so long. It is hardly likely, it seems to me, that those who do not want to retain the data for the statutory minimum period are going to be wanting to retain data that is no longer the subject of a retention obligation. For that reason, by the way, this bill does not contain a destruction obligation when whatever is the relevant period expires, whether it be the two-year period or on the scenario that you have posited in your question, in the event of the parliament after 40 sitting days not upholding a ministerial legislative instrument. As I am reminded, the Privacy Act would apply to such data in the unlikely event that a telco or ISP which was affected by it were to retain that data.

12:14 pm

Scott Ludlam (WA, Australian Greens)

Just to be very clear, before we commit these amendments—unless others have matters that they want to raise—this goes a little further through the running sheet than we have been discussing thus far in that, for anywhere in the bill where the Attorney-General is given that discretion of 40 sitting days and the first amendment having been disposed of, our fallback position, if you like, is to collapse that process from 40 sitting days to four. If it is an emergency or something that anyone could have seen coming, such as a new service being introduced and a bit more routine than an emergency—whatever that might mean—I see absolutely no reason at all why the government of the day and the executive of the day should be given 40 sitting days. That seems immensely leisurely. The Attorney has just assured us that he cannot think of a reason why government would leave it so long. I would actually take him on his word at that.

This amendment in terms of declared information, declared services, declared criminal law enforcement agencies and declared enforcement agencies are issues that we have not really traversed yet. Anywhere where this 40 sitting day extended period of time is found in the bill would be reduced to four sitting days also known as one sitting week.

12:16 pm

George Brandis (Queensland, Liberal Party, Attorney-General)

I do not want to be tedious but I think I have addressed that—so perhaps it is not me being tedious. Let me respond again: this was a period that was selected by the PJCIS, and we have adopted their recommendations. You say 40 sitting days seems a leisurely period. I acknowledge your view but I do make the point, as I made in answer to your previous question, that I would not expect any sensible Attorney-General to want to delay it that long.

As for the proposal in this amendment that it be truncated to four sitting days, that is unrealistic. It is quite a process to get legislation onto the parliamentary program: all ministers have to go through the processes of the parliamentary business committee presided over in Star Wars-like fashion by my friend Mr Pyne, the member for Sturt. The competition to get business onto the legislative agenda through the parliamentary business committee for any government for bids to be approved with the limited number of sitting days and indeed sitting hours available is quite an exhaustive process. The suggestion that a bill could be brought on in four sitting days is, frankly, unrealistic, Senator.

12:17 pm

Scott Ludlam (WA, Australian Greens)

Senator Brandis, I think that may be the first time in 6½ years you actually made me laugh. I will commend these amendments to the chamber, unless others have comments.

The CHAIRMAN: The question is that amendments (1) to (4) on sheet 7692 be agreed to.

Question negatived.

12:18 pm

David Leyonhjelm (NSW, Liberal Democratic Party)

by leave—I move amendments (2) and (3) on sheet 7661:

(2) Schedule 1, item 1, page 4 (line 3), omit "1992); or", substitute "1992); and".

(3) Schedule 1, item 1, page 4 (lines 4 and 5), omit subparagraph 187A(3)(b)(iii).

These are simple amendments. Amendment (2) confines definition of services to those already in the bill and does not allow them to be added to except by legislation. Amendment (3) prevents further services being simply declared. They have to be enacted, requiring the act to be amended.

12:19 pm

Scott Ludlam (WA, Australian Greens)

I will just indicate that the Australian Greens will be supporting these amendments. They are substantially similar—maybe even identical—to amendments that we have further down the running sheet. We would also in one of my forthcoming amendments—which I could maybe just speak to really briefly now—propose that, similarly, to the way we wanted to handle the definition of metadata and the definition of information that is caught within the scope of the bill, we fundamentally disagree with this process of doing it by regulation, this very long tail of time for the PJCIS to make up its mind followed by eventual parliamentary ratification.

In the event that these amendments of Senator Leyonhjelm's fail—and you never know your luck in a big city—and Senator Leyonhjelm has indicated constraining the definitions then we would be proposing that, in the instance that the government wanted to expand the service providers caught by the bill, it would do what governments normally do and bring such a decision to parliament. We would be supporting these amendments, and I am just foreshadowing that we have some similar to come.

The CHAIRMAN: The question is that amendments (2) and (3) on sheet 7661 be agreed to.

Question negatived.

The CHAIRMAN: Senator Ludlam, that would also dispose of your amendments (2) and (3) on sheet 7669.

Those amendments took a long time to draft. I would just like to put a very quick question to the Attorney before we move through: what criteria will the government apply for adding a service provider to the scope of the bill?

12:21 pm

George Brandis (Queensland, Liberal Party, Attorney-General)

The criteria are not specifically set out in the act, but you may be confident that the approach that I would take—and I would expect any rational minister to take whether from the coalition or the Labor Party for that matter—would be to include categories which are similar in effect to the categories set out in the table. Senator, may I say that I am well aware of the sophistication of your knowledge of this area and I take encouragement from your observation that one thing that ought to guide us in approaching this issue is an appreciation that technology will evolve—I think you acknowledge that it might evolve quite rapidly. As technology evolves then information of a similar kind, but retained or embodied on a different platform or medium from that envisaged by the six categories of descriptions in the table, is likely to emerge. If it does then we would make—by analogy, if you like—the natural logical extensions to the six categories in the table.

12:22 pm

Jacinta Collins (Victoria, Australian Labor Party, Shadow Cabinet Secretary)

Whilst we are on this point, I should indicate that while Labor agrees that, as much as possible, the detail of the scheme should be set out in the primary legislation, we think that that has already been achieved in what is proposed in the bill as was amended in the House. We do understand that some flexibility is required and that the bill reflects that. Senator Brandis referred to issues around emerging technology, but I should also highlight that this arrangement is subject to the 40 days that we were previously discussing.

12:23 pm

Scott Ludlam (WA, Australian Greens)

I am honestly not sure why the Labor Party even turned up to work today. I am going to stand down amendments (2) and (3) because I think identical amendments have already been dealt with by Senator Leyonhjelm, so I will not be proceeding with those.

The CHAIRMAN: Yes, I helped you dispose of those earlier.

But what I would point out, and it is the reason why we have paused here to make these points, is that you quite conceivably, presumably unintentionally, could have companies arbitrarily brought into the ambit of this legislation by an Attorney-General of the day. I am sure it would not be one as august as Senator Brandis. Maybe 'Attorney-General Cory Bernardi', for example, in some future government, would decide to bring a whole new sector or new platform of industry within the scope of the data retention act, as it will be, whatever the view of the PJCIS. That would then get committed to parliament seven or eight months later, and the parliament may disagree, but you would have had platforms, industries or companies arbitrarily brought within the ambit of an act that imposes quite stringent collection requirements on them that are potentially quite expensive only to be told eight months down the track that, 'No, we got it wrong; the parliament disagrees.'

That is why we have paused here. This eight- or nine-month lag seems to me totally unseemly both in the case of an emergency that you did not see coming, where you would need to move very rapidly, and also in the case of gradual technological evolution, where you could simply make the case and then legislate rather than having this arbitrary decision by executive fiat that then either gets backed up and endorsed by parliament months and months later or not. Anyway, I think I have made my point.

I move Australian Greens amendment (5) on sheet 7669:

(5) Schedule 1, item 1, page 10 (lines 16 to 34), omit subsections 187C(1) and (2), substitute:

(1) The period for which a service provider must keep, or cause to be kept, information or a document under section 187A is the period:

(a) starting when the information or document came into existence; and

(b) ending 3 months after it came into existence.

I foreshadow that what we are going to propose to do later in the running order is contract the two-year data retention period, for which no case has been made. It seems to me that where the two-year period came from is somewhat lost in the mists of time. I think, Senator Brandis, this came up briefly last night, and you observed that it fell out of the PJCIS or out of the agencies themselves. It is shorter than five years and it is longer than 12 months, and that is where we have landed. To me, that is not particularly satisfactory. The Australian Greens will be seeking to contract that two-year obligation period to three months, partly in order to reduce costs and also the potentially invasive nature of holding on to this material for such a long period of time.

I am foreshadowing that because our amendment (5) removes the requirement that data be kept for at least two years after the closure of a customer account. I would be keen to hear the government's account or reasoning as to why data should be kept for that long after the closure of account, because that could effectively mandate material be hanging around for four years. For example, if I generate particular contact records, location records or whatever—there are masses of material that is going to be created—and then, two years after creating that record, I close my account, the government proposes that it should be retained for another 48 months. There is no real justification for that, as far as I am concerned. It is entirely possible that data could be kept way beyond two years. Many service providers leave customer accounts open even if the customer is not explicitly using them. That is no fault of the service provider; you could cease using a service, and you are not under any obligation to tell the service provider that you have done so. That, again, creates this very long tail of material hanging around, certainly for much longer periods than two years.

This amendment is reasonably simple. It provides that the period for which the service provider has to keep information is the period starting when the information or document came into existence and ending three months after it came into existence. What that would effectively do is bring it into consistency with the amendment, which I foreshadowed earlier, to contract that two-year period down to three months. This amendment, coming slightly out of order, I guess, would provide that that be the case, even if it is an account that is closed and is no longer active.

12:28 pm

George Brandis (Queensland, Liberal Party, Attorney-General)

This is a very important question—that is, the length or the duration of the mandatory data retention regime. It is probably instructive to take you through the history of it. The two-year period had its genesis in the first PJCIS inquiry—that is, the inquiry that reported in May 2013. Because I was a member of the PJCIS during the last parliament and participated in the discussion, I can tell you about it. It found form in recommendation 42 of the original PJCIS report. The sixth dot point of recommendation 42 states:

    When the legislation was prepared, the two-year period that had been envisaged by the original PJCIS inquiry was adopted. When this legislation was reviewed by the more recent PJCIS inquiry, which reported on 27 February this year, the committee expressed the view in paragraph 4.120:

    … the Committee accepts the unequivocal evidence of the national security and law enforcement agencies, which is supported by the international evidence, that a retention period of up to two years is necessary and proportionate for a range of investigations into particularly serious types of criminal and security-relevant activity.

    You use the adjective 'arbitrary' as a pejorative, but any time period is arbitrary in the sense that it identifies a particular span of time, whether it is five years, two years or your three months. It is really a question of judgement, and that judgement has to be informed by the best advice of the national security and law enforcement agencies. Let us come back to first principles. The purpose of this legislation is to assist national security and law enforcement agencies in carrying out investigations, in particular in carrying out investigations which establish and identify networks of individual actors.

    I remember from the first PJCIS inquiry we had quite a long discussion about what the appropriate period should be. We looked at various international precedents. I cannot call them all to mind at the moment, but in some countries it was more and in some countries it was less. About two years seemed to us to be around the international standard. We asked the national security agencies—I think it might have been a closed session, so I had better be careful in what I say—and I remember the then director-general of ASIO saying that he would prefer a much longer period, because retained metadata is obviously going to have potentially a utility beyond two years, but equally, as a matter of common sense, it is going to be a diminishing marginal utility across time.

    The evidence that the PJCIS received was that within two years the overwhelming number of investigations which would seek to have access to metadata will have either been completed or run their course to the stage at which access to the metadata will have been had. This does not exclude the possibility that, for example, information is received by the agencies quite some time after a particular episode or event of concern is the subject of an investigation. It may be that more than two years has expired and the metadata is gone before the agencies appreciate, in the course of an investigation which has commenced well beyond the occurrence of the relevant events, that it might have been useful for them to access metadata. This is admittedly and advertently a limitation on what the agencies in their perfect world would have wanted, which is a longer retention period. Equally, from a practical point of view, we do not consider it appropriate to impose an unlimited obligation or an unreasonably long retention obligation on the industry.

    Having looked at a lot of data and received a lot of evidence, as referred to in the first PJCIS report, by the way, from the agencies, particularly the Australian Federal Police, about the usual lifespan of an investigation of the kind with which we were concerned—counterterrorism, transnational and organised crime, and paedophilia—the Australian Federal Police and the other agencies were able to say to us, 'We think that if we had a two-year retention period that would satisfy us in almost all cases, but shorter than that we think from an investigative capability point of view we would run into problems.' So it was not an arbitrary decision; it was a decision informed by the experience and specialist opinion of those who need to access this data for the investigative purpose for which it is retained.

    I can assure you, Senator Ludlam, that on the basis of the evidence that I heard at those hearings and the long discussions we had about this very point the idea of three months is ridiculously short. When you consider that we are dealing with complex crime—counterterrorism, transnational and organised crime, and paedophilia—if you think that investigations of that kind can be carried to fruition within a period of three months of first notification to the authorities you are kidding yourself.

    12:35 pm

    David Leyonhjelm (NSW, Liberal Democratic Party)

    Mr Chairman, can you assist me: have we formally moved Australian Greens amendment (5) on sheet 7669?

    The CHAIRMAN: Yes, it is formally on the table now.

    I am speaking in support of it. It is substantively the same as my own amendments (5) and (6) on sheet 7661. The rationale behind these amendments is appropriate. To the extent that data retention is used in law enforcement, the vast bulk of access required—I understand that it is at least 70 per cent—is to data that has been retained for three months or less. Retaining data for three months is also consistent with the commercial practices of some ISPs. Their customers reasonably expect their ISP to retain data in order to determine, for example, how they blew their data allowance and how it was used. When such a request comes from the customer it is reasonable; when the demand comes from the government at the taxpayers' expense I consider it to be unreasonable.

    I am intrigued by the extent to which the Attorney relies on the advice of law enforcement agencies in relation to why three months is inadequate and two years is appropriate. I have never yet known a law enforcement agency to suggest that a law is too strict, is too stringent or goes too far. In fact, if you asked them, 'Would you like us all to be microchipped so that we can be tracked on a daily basis?', I doubt you would get too many objections. From the point of view of advice as to the appropriateness of a proposal for strengthening the law and making it harder, I hesitate to suggest that they are a very reliable source of advice. The fact is that their use of the data should be the determining factor, and their use of the data shows that three months is an appropriate period. They rarely use it any longer than that.

    12:37 pm

    Jacinta Collins (Victoria, Australian Labor Party, Shadow Cabinet Secretary)

    I would like to indicate that Labor is satisfied that a two-year period is appropriate, for much the same reasons as Senator Brandis outlined. The Parliamentary Joint Committee on Intelligence and Security heard persuasive evidence to this effect, as it recorded in some detail in its report. This period has not just dropped out of the air, as Senator Ludlam might have been suggesting or characterising from last night's discussions in this debate. I would also like to note that the retention period is one matter expressly listed by the committee as a topic of the statutory review which this bill provides for. I would also like to address the concern that Senator Ludlam has raised about data perhaps being retained for up to four years. It seems he is misinformed on that point. It is only the subscriber details that will be retained for the further two-year period.

    12:38 pm

    George Brandis (Queensland, Liberal Party, Attorney-General)

    Senator Leyonhjelm, I am not aware of the provenance of the statistic you quote—that 70 per cent of investigations are concluded within six months, I think you said. The advice of those who actually do this as specialists in their daily professional lives was that less than two years would compromise a significant number of investigations. My attention has been drawn to a review by the Government of the Netherlands of its data retention regime, which concluded that a six-month retention period was considered unanimously to be too short, particularly so for complex cases. Senator Leyonhjelm, I just want to emphasise this point to you: the law enforcement agencies want this regime established to deal with complex cases—not with mundane or trivial cases, but with complex cases, particularly counter-terrorism, transnational and organised crime, and paedophilia. It is not ordinarily the experience that cases of that complexity—particularly as cases of this kind do often involve actors in multiple jurisdictions—are able to be concluded in so brief a period as six months. That is unrealistic, Senator Leyonhjelm. That was the very firm view of ASIO, of the AFP, and of the state and territory police forces, who came before us. You may say—and you speak from a libertarian perspective—that we should always take with a grain of salt what the policing powers of the state may tell us. Well, up to a point that is true. But I think we should also listen respectfully to the advice of those who have the professional knowledge that, frankly, nobody in this chamber has.

    The members of the PJCIS, including the Labor members; sober and serious members like Mr Anthony Byrne the then chairman, former Senator Faulkner, and others, considered two years to be not unreasonable. It is consistent with the experience of other jurisdictions. But certainly, the three-month period which you contend for in this amendment—and, by the way, I understand that you have previously said on two occasions that six months was the appropriate period, so you have changed your mind on this—but to suggest that a complex investigation of this kind can be concluded in three months is, frankly, ridiculous.

    12:41 pm

    Scott Ludlam (WA, Australian Greens)

    I understand that we are probably going to adjourn this debate in a couple of minutes, so I will just put a couple of quick remarks on the record.

    I think Senator Brandis oversimplifies the way in which this material is used. We have a regime of mandatory data preservation notices in Australia, and we have had this regime for a period of time—so telling the chamber that you have three months to solve your complex crime, or to bust your organised crime network, is actually pretty disingenuous. During that period of three months of data retention—or however long the material is retained; some material lies around for a lot longer than that already—you have the ability to make a case, and either to go and get a warrant for fairly invasive tapping of people's phones or for various other forms of intercepts, or you have the ability—if you do not need that level of intrusion—to seek data preservation notices, which is, effectively, targeted data retention. People do not find themselves particularly offended by the concept of data retention for particular suspects or persons of interest. So it is not that we would be demanding that investigative agencies conclude everything within three months, and I think you know that, Senator Brandis. There are plenty of ways in which agencies can go ahead and get the information that they need. You did use a phrase though, Senator Brandis—through you, chair—of diminishing returns, and I acknowledge that that is quite correct. The EU Court of Justice Evaluation report on the Data Retention Directive—that is, the directive that that same court threw out—pointed out that only two per cent of accessed data by law enforcement agencies was over one year old, which I think actually bears out your conclusions about diminishing returns. Goodness knows what it would be for material that was two years old—assumedly practically nothing. The fact that we in Australia do not actually have statistics such as those is quite instructive. I can quote the statistics from the EU Court of Justice because they bothered to collect the information; the Federal Police do not. In their submission to the PJCIS, the AFP pointed out:

    … there are a number of reasons that prevent us from actually quantifying the accurately quantifying the age of requests for historical telecommunications data within the current timeframe.

    AFP systems are not configured to capture this information, and extraction of this information from historical records would require significant resources to manually review.

    So I can quote statistics from Europe—because they bothered to collect that material—and give some quantification to Senator Brandis's quite correct assertion that there would be diminishing returns. But we have no idea what the numbers are for Australia—maybe they are similar, maybe they are not—because we do not bother to collect the information. And that is why some people, including myself—I guess I would put myself in this category—have been quite critical of the fact that two years falls out of the air, as a result of conversations behind closed doors in the PJCIS, but we have to take the word of the investigative agencies and the intelligence agencies without the benefit of evidence.

    Progress reported.